1ovn-controller(8) OVN Manual ovn-controller(8)
2build/.PP
6
8 ovn-controller - Open Virtual Network local controller
9
11 ovn-controller [options] [ovs-database]
12
14 ovn-controller is the local controller daemon for OVN, the Open Virtual
15 Network. It connects up to the OVN Southbound database (see ovn-sb(5))
16 over the OVSDB protocol, and down to the Open vSwitch database (see
17 ovs-vswitchd.conf.db(5)) over the OVSDB protocol and to ovs-vswitchd(8)
18 via OpenFlow. Each hypervisor and software gateway in an OVN deployment
19 runs its own independent copy of ovn-controller; thus, ovn-controller’s
20 downward connections are machine-local and do not run over a physical
21 network.
22
24 ACL log messages are logged through ovn-controller’s logging mechanism.
25 ACL log entries have the module acl_log at log level info. Configuring
26 logging is described below in the Logging Options section.
27
29 Daemon Options
30 --pidfile[=pidfile]
31 Causes a file (by default, program.pid) to be created indicating
32 the PID of the running process. If the pidfile argument is not
33 specified, or if it does not begin with /, then it is created in
34 .
35 If --pidfile is not specified, no pidfile is created.
37 --overwrite-pidfile
39 By default, when --pidfile is specified and the specified pid‐
40 file already exists and is locked by a running process, the dae‐
41 mon refuses to start. Specify --overwrite-pidfile to cause it to
42 instead overwrite the pidfile.
43 When --pidfile is not specified, this option has no effect.
45 --detach
47 Runs this program as a background process. The process forks,
48 and in the child it starts a new session, closes the standard
49 file descriptors (which has the side effect of disabling logging
50 to the console), and changes its current directory to the root
51 (unless --no-chdir is specified). After the child completes its
52 initialization, the parent exits.
53 --monitor
55 Creates an additional process to monitor this program. If it
56 dies due to a signal that indicates a programming error (SIGA‐
57 BRT, SIGALRM, SIGBUS, SIGFPE, SIGILL, SIGPIPE, SIGSEGV, SIGXCPU,
58 or SIGXFSZ) then the monitor process starts a new copy of it. If
59 the daemon dies or exits for another reason, the monitor process
60 exits.
61 This option is normally used with --detach, but it also func‐
63 tions without it.
64 --no-chdir
66 By default, when --detach is specified, the daemon changes its
67 current working directory to the root directory after it
68 detaches. Otherwise, invoking the daemon from a carelessly cho‐
69 sen directory would prevent the administrator from unmounting
70 the file system that holds that directory.
71 Specifying --no-chdir suppresses this behavior, preventing the
73 daemon from changing its current working directory. This may be
74 useful for collecting core files, since it is common behavior to
75 write core dumps into the current working directory and the root
76 directory is not a good directory to use.
77 This option has no effect when --detach is not specified.
79 --no-self-confinement
81 By default this daemon will try to self-confine itself to work
82 with files under well-known directories whitelisted at build
83 time. It is better to stick with this default behavior and not
84 to use this flag unless some other Access Control is used to
85 confine daemon. Note that in contrast to other access control
86 implementations that are typically enforced from kernel-space
87 (e.g. DAC or MAC), self-confinement is imposed from the user-
88 space daemon itself and hence should not be considered as a full
89 confinement strategy, but instead should be viewed as an addi‐
90 tional layer of security.
91 --user=user:group
93 Causes this program to run as a different user specified in
94 user:group, thus dropping most of the root privileges. Short
95 forms user and :group are also allowed, with current user or
96 group assumed, respectively. Only daemons started by the root
97 user accepts this argument.
98 On Linux, daemons will be granted CAP_IPC_LOCK and
100 CAP_NET_BIND_SERVICES before dropping root privileges. Daemons
101 that interact with a datapath, such as ovs-vswitchd, will be
102 granted three additional capabilities, namely CAP_NET_ADMIN,
103 CAP_NET_BROADCAST and CAP_NET_RAW. The capability change will
104 apply even if the new user is root.
105 On Windows, this option is not currently supported. For security
107 reasons, specifying this option will cause the daemon process
108 not to start.
109 Logging Options
111 -v[spec]
112 --verbose=[spec]
113 Sets logging levels. Without any spec, sets the log level for
114 every module and destination to dbg. Otherwise, spec is a list of
115 words separated by spaces or commas or colons, up to one from each
116 category below:
117 · A valid module name, as displayed by the vlog/list command
119 on ovs-appctl(8), limits the log level change to the speci‐
120 fied module.
121 · syslog, console, or file, to limit the log level change to
123 only to the system log, to the console, or to a file,
124 respectively. (If --detach is specified, the daemon closes
125 its standard file descriptors, so logging to the console
126 will have no effect.)
127 On Windows platform, syslog is accepted as a word and is
129 only useful along with the --syslog-target option (the word
130 has no effect otherwise).
131 · off, emer, err, warn, info, or dbg, to control the log
133 level. Messages of the given severity or higher will be
134 logged, and messages of lower severity will be filtered
135 out. off filters out all messages. See ovs-appctl(8) for a
136 definition of each log level.
137 Case is not significant within spec.
139 Regardless of the log levels set for file, logging to a file will
141 not take place unless --log-file is also specified (see below).
142 For compatibility with older versions of OVS, any is accepted as a
144 word but has no effect.
145 -v
147 --verbose
148 Sets the maximum logging verbosity level, equivalent to --ver‐
149 bose=dbg.
150 -vPATTERN:destination:pattern
152 --verbose=PATTERN:destination:pattern
153 Sets the log pattern for destination to pattern. Refer to
154 ovs-appctl(8) for a description of the valid syntax for pattern.
155 -vFACILITY:facility
157 --verbose=FACILITY:facility
158 Sets the RFC5424 facility of the log message. facility can be one
159 of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
160 ftp, ntp, audit, alert, clock2, local0, local1, local2, local3,
161 local4, local5, local6 or local7. If this option is not specified,
162 daemon is used as the default for the local system syslog and
163 local0 is used while sending a message to the target provided via
164 the --syslog-target option.
165 --log-file[=file]
167 Enables logging to a file. If file is specified, then it is used
168 as the exact name for the log file. The default log file name used
169 if file is omitted is /var/log/ovn/program.log.
170 --syslog-target=host:port
172 Send syslog messages to UDP port on host, in addition to the sys‐
173 tem syslog. The host must be a numerical IP address, not a host‐
174 name.
175 --syslog-method=method
177 Specify method as how syslog messages should be sent to syslog
178 daemon. The following forms are supported:
179 · libc, to use the libc syslog() function. Downside of using
181 this options is that libc adds fixed prefix to every mes‐
182 sage before it is actually sent to the syslog daemon over
183 /dev/log UNIX domain socket.
184 · unix:file, to use a UNIX domain socket directly. It is pos‐
186 sible to specify arbitrary message format with this option.
187 However, rsyslogd 8.9 and older versions use hard coded
188 parser function anyway that limits UNIX domain socket use.
189 If you want to use arbitrary message format with older
190 rsyslogd versions, then use UDP socket to localhost IP
191 address instead.
192 · udp:ip:port, to use a UDP socket. With this method it is
194 possible to use arbitrary message format also with older
195 rsyslogd. When sending syslog messages over UDP socket
196 extra precaution needs to be taken into account, for exam‐
197 ple, syslog daemon needs to be configured to listen on the
198 specified UDP port, accidental iptables rules could be
199 interfering with local syslog traffic and there are some
200 security considerations that apply to UDP sockets, but do
201 not apply to UNIX domain sockets.
202 · null, to discard all messages logged to syslog.
204 The default is taken from the OVS_SYSLOG_METHOD environment vari‐
206 able; if it is unset, the default is libc.
207 PKI Options
209 PKI configuration is required in order to use SSL for the connections
210 to the Northbound and Southbound databases.
211 -p privkey.pem
213 --private-key=privkey.pem
214 Specifies a PEM file containing the private key used as
215 identity for outgoing SSL connections.
216 -c cert.pem
218 --certificate=cert.pem
219 Specifies a PEM file containing a certificate that certi‐
220 fies the private key specified on -p or --private-key to be
221 trustworthy. The certificate must be signed by the certifi‐
222 cate authority (CA) that the peer in SSL connections will
223 use to verify it.
224 -C cacert.pem
226 --ca-cert=cacert.pem
227 Specifies a PEM file containing the CA certificate for ver‐
228 ifying certificates presented to this program by SSL peers.
229 (This may be the same certificate that SSL peers use to
230 verify the certificate specified on -c or --certificate, or
231 it may be a different one, depending on the PKI design in
232 use.)
233 -C none
235 --ca-cert=none
236 Disables verification of certificates presented by SSL
237 peers. This introduces a security risk, because it means
238 that certificates cannot be verified to be those of known
239 trusted hosts.
240 --bootstrap-ca-cert=cacert.pem
242 When cacert.pem exists, this option has the same effect
243 as -C or --ca-cert. If it does not exist, then the exe‐
244 cutable will attempt to obtain the CA certificate from
245 the SSL peer on its first SSL connection and save it to
246 the named PEM file. If it is successful, it will immedi‐
247 ately drop the connection and reconnect, and from then on
248 all SSL connections must be authenticated by a certifi‐
249 cate signed by the CA certificate thus obtained.
250 This option exposes the SSL connection to a man-in-the-
252 middle attack obtaining the initial CA certificate, but
253 it may be useful for bootstrapping.
254 This option is only useful if the SSL peer sends its CA
256 certificate as part of the SSL certificate chain. The SSL
257 protocol does not require the server to send the CA cer‐
258 tificate.
259 This option is mutually exclusive with -C and --ca-cert.
261 --peer-ca-cert=peer-cacert.pem
263 Specifies a PEM file that contains one or more additional
264 certificates to send to SSL peers. peer-cacert.pem should
265 be the CA certificate used to sign the program’s own cer‐
266 tificate, that is, the certificate specified on -c or
267 --certificate. If the program’s certificate is self-
268 signed, then --certificate and --peer-ca-cert should
269 specify the same file.
270 This option is not useful in normal operation, because
272 the SSL peer must already have the CA certificate for the
273 peer to have any confidence in the program’s identity.
274 However, this offers a way for a new installation to
275 bootstrap the CA certificate on its first SSL connection.
276 Other Options
278 -h
279 --help
280 Prints a brief help message to the console.
281 -V
283 --version
284 Prints version information to the console.
285
287 ovn-controller retrieves most of its configuration information from the
288 local Open vSwitch’s ovsdb-server instance. The default location is
289 db.sock in the local Open vSwitch’s "run" directory. It may be overrid‐
290 den by specifying the ovs-database argument as an OVSDB active or pas‐
291 sive connection method, as described in ovsdb(7).
292 ovn-controller assumes it gets configuration information from the fol‐
294 lowing keys in the Open_vSwitch table of the local OVS instance:
295 external_ids:system-id
297 The chassis name to use in the Chassis table.
298 external_ids:hostname
300 The hostname to use in the Chassis table.
301 external_ids:ovn-bridge
303 The integration bridge to which logical ports are
304 attached. The default is br-int. If this bridge does not
305 exist when ovn-controller starts, it will be created
306 automatically with the default configuration suggested in
307 ovn-architecture(7).
308 external_ids:ovn-bridge-datapath-type
310 This configuration is optional. If set, then the datapath
311 type of the integration bridge will be set to the config‐
312 ured value. If this option is not set, then ovn-con‐
313 troller will not modify the existing datapath-type of the
314 integration bridge.
315 external_ids:ovn-remote
317 The OVN database that this system should connect to for
318 its configuration, in one of the same forms documented
319 above for the ovs-database.
320 external_ids:ovn-monitor-all
322 A boolean value that tells if ovn-controller should moni‐
323 tor all records of tables in ovs-database. If set to
324 false, it will conditionally monitor the records that is
325 needed in the current chassis.
326 It is more optimal to set it to true in use cases when
328 the chassis would anyway need to monitor most of the
329 records in ovs-database, which would save the overhead of
330 conditions processing, especially for server side. Typi‐
331 cally, set it to true for environments that all workloads
332 need to be reachable from each other.
333 Default value is false.
335 external_ids:ovn-remote-probe-interval
337 The inactivity probe interval of the connection to the
338 OVN database, in milliseconds. If the value is zero, it
339 disables the connection keepalive feature.
340 If the value is nonzero, then it will be forced to a
342 value of at least 1000 ms.
343 external_ids:ovn-openflow-probe-interval
345 The inactivity probe interval of the OpenFlow connection
346 to the OpenvSwitch integration bridge, in seconds. If the
347 value is zero, it disables the connection keepalive fea‐
348 ture.
349 If the value is nonzero, then it will be forced to a
351 value of at least 5s.
352 external_ids:ovn-encap-type
354 The encapsulation type that a chassis should use to con‐
355 nect to this node. Multiple encapsulation types may be
356 specified with a comma-separated list. Each listed encap‐
357 sulation type will be paired with ovn-encap-ip.
358 Supported tunnel types for connecting hypervisors are
360 geneve and stt. Gateways may use geneve, vxlan, or stt.
361 Due to the limited amount of metadata in vxlan, the capa‐
363 bilities and performance of connected gateways will be
364 reduced versus other tunnel formats.
365 external_ids:ovn-encap-ip
367 The IP address that a chassis should use to connect to
368 this node using encapsulation types specified by exter‐
369 nal_ids:ovn-encap-type.
370 external_ids:ovn-bridge-mappings
372 A list of key-value pairs that map a physical network
373 name to a local ovs bridge that provides connectivity to
374 that network. An example value mapping two physical net‐
375 work names to two ovs bridges would be: phys‐
376 net1:br-eth0,physnet2:br-eth1.
377 external_ids:ovn-encap-csum
379 ovn-encap-csum indicates that encapsulation checksums can
380 be transmitted and received with reasonable performance.
381 It is a hint to senders transmitting data to this chassis
382 that they should use checksums to protect OVN metadata.
383 Set to true to enable or false to disable. Depending on
384 the capabilities of the network interface card, enabling
385 encapsulation checksum may incur performance loss. In
386 such cases, encapsulation checksums can be disabled.
387 external_ids:ovn-cms-options
389 A list of options that will be consumed by the CMS Plugin
390 and which specific to this particular chassis. An example
391 would be: cms_option1,cms_option2:foo.
392 external_ids:ovn-transport-zones
394 The transport zone(s) that this chassis belongs to.
395 Transport zones is a way to group different chassis so
396 that tunnels are only formed between members of the same
397 group(s). Multiple transport zones may be specified with
398 a comma-separated list. For example: tz1,tz2,tz3.
399 If not set, the Chassis will be considered part of a
401 default transport zone.
402 external_ids:ovn-chassis-mac-mappings
404 A list of key-value pairs that map a chassis specific mac
405 to a physical network name. An example value mapping two
406 chassis macs to two physical network names would be:
407 physnet1:aa:bb:cc:dd:ee:ff,physnet2:a1:b2:c3:d4:e5:f6.
408 These are the macs that ovn-controller will replace a
409 router port mac with, if packet is going from a distrib‐
410 uted router port on vlan type logical switch.
411 external_ids:ovn-is-interconn
413 The boolean flag indicates if the chassis is used as an
414 interconnection gateway.
415 ovn-controller reads the following values from the Open_vSwitch data‐
417 base of the local OVS instance:
418 datapath-type from Bridge table
420 This value is read from local OVS integration bridge row
421 of Bridge table and populated in external_ids:datapath-
422 type of the Chassis table in the OVN_Southbound database.
423 iface-types from Open_vSwitch table
425 This value is populated in external_ids:iface-types of
426 the Chassis table in the OVN_Southbound database.
427 private_key, certificate, ca_cert, and bootstrap_ca_cert from
429 SSL table
430 These values provide the SSL configuration used for con‐
431 necting to the OVN southbound database server when an SSL
432 connection type is configured via exter‐
433 nal_ids:ovn-remote. Note that this SSL configuration can
434 also be provided via command-line options, the configura‐
435 tion in the database takes precedence if both are
436 present.
437
439 ovn-controller uses a number of external_ids keys in the Open vSwitch
440 database to keep track of ports and interfaces. For proper operation,
441 users should not change or clear these keys:
442 external_ids:ovn-chassis-id in the Port table
444 The presence of this key identifies a tunnel port within
445 the integration bridge as one created by ovn-controller
446 to reach a remote chassis. Its value is the chassis ID of
447 the remote chassis.
448 external_ids:ct-zone-* in the Bridge table
450 Logical ports and gateway routers are assigned a connec‐
451 tion tracking zone by ovn-controller for stateful ser‐
452 vices. To keep state across restarts of ovn-controller,
453 these keys are stored in the integration bridge’s Bridge
454 table. The name contains a prefix of ct-zone- followed by
455 the name of the logical port or gateway router’s zone
456 key. The value for this key identifies the zone used for
457 this port.
458 external_ids:ovn-localnet-port in the Port table
460 The presence of this key identifies a patch port as one
461 created by ovn-controller to connect the integration
462 bridge and another bridge to implement a localnet logical
463 port. Its value is the name of the logical port with type
464 set to localnet that the port implements. See exter‐
465 nal_ids:ovn-bridge-mappings, above, for more information.
466 Each localnet logical port is implemented as a pair of
468 patch ports, one in the integration bridge, one in a dif‐
469 ferent bridge, with the same external_ids:ovn-local‐
470 net-port value.
471 external_ids:ovn-l2gateway-port in the Port table
473 The presence of this key identifies a patch port as one
474 created by ovn-controller to connect the integration
475 bridge and another bridge to implement a l2gateway logi‐
476 cal port. Its value is the name of the logical port with
477 type set to l2gateway that the port implements. See
478 external_ids:ovn-bridge-mappings, above, for more infor‐
479 mation.
480 Each l2gateway logical port is implemented as a pair of
482 patch ports, one in the integration bridge, one in a dif‐
483 ferent bridge, with the same external_ids:ovn-l2gate‐
484 way-port value.
485 external-ids:ovn-l3gateway-port in the Port table
487 This key identifies a patch port as one created by
488 ovn-controller to implement a l3gateway logical port. Its
489 value is the name of the logical port with type set to
490 l3gateway. This patch port is similar to the OVN logical
491 patch port, except that l3gateway port can only be bound
492 to a paticular chassis.
493 external-ids:ovn-logical-patch-port in the Port table
495 This key identifies a patch port as one created by
496 ovn-controller to implement an OVN logical patch port
497 within the integration bridge. Its value is the name of
498 the OVN logical patch port that it implements.
499
501 ovn-controller reads from much of the OVN_Southbound database to guide
502 its operation. ovn-controller also writes to the following tables:
503 Chassis
505 Upon startup, ovn-controller creates a row in this table
506 to represent its own chassis. Upon graceful termination,
507 e.g. with ovs-appctl -t ovn-controller exit (but not
508 SIGTERM), ovn-controller removes its row.
509 Encap Upon startup, ovn-controller creates a row or rows in
511 this table that represent the tunnel encapsulations by
512 which its chassis can be reached, and points its Chassis
513 row to them. Upon graceful termination, ovn-controller
514 removes these rows.
515 Port_Binding
517 At runtime, ovn-controller sets the chassis columns of
518 ports that are resident on its chassis to point to its
519 Chassis row, and, conversely, clears the chassis column
520 of ports that point to its Chassis row but are no longer
521 resident on its chassis. The chassis column has a weak
522 reference type, so when ovn-controller gracefully exits
523 and removes its Chassis row, the database server automat‐
524 ically clears any remaining references to that row.
525 MAC_Binding
527 At runtime, ovn-controller updates the MAC_Binding table
528 as instructed by put_arp and put_nd logical actions.
529 These changes persist beyond the lifetime of ovn-con‐
530 troller.
531
533 ovs-appctl can send commands to a running ovn-controller process. The
534 currently supported commands are described below.
535 exit Causes ovn-controller to gracefully terminate.
537 ct-zone-list
539 Lists each local logical port and its connection tracking
540 zone.
541 meter-table-list
543 Lists each meter table entry and its local meter id.
544 group-table-list
546 Lists each group table entry and its local group id.
547 inject-pkt microflow
549 Injects microflow into the connected Open vSwitch
550 instance. microflow must contain an ingress logical port
551 (inport argument) that is present on the Open vSwitch
552 instance.
553 The microflow argument describes the packet whose for‐
555 warding is to be simulated, in the syntax of an OVN logi‐
556 cal expression, as described in ovn-sb(5), to express
557 constraints. The parser understands prerequisites; for
558 example, if the expression refers to ip4.src, there is no
559 need to explicitly state ip4 or eth.type == 0x800.
560 connection-status
562 Show OVN SBDB connection status for the chassis.
563 recompute
565 Trigger a full compute iteration in ovn-controller based
566 on the contents of the Southbound database and local OVS
567 database.
568 This command is intended to use only in the event of a
570 bug in the incremental processing engine in ovn-con‐
571 troller to avoid inconsistent states. It should therefore
572 be used with care as full recomputes are cpu intensive.
573OVN 20.03.0 ovn-controller ovn-controller(8)